
Traffic between Internal network and VLAN has suddenly stopped

So I have a setup where the internal LAN and VLAN 200 need to talk to each other. This worked in the past with the same settings; however, sometime in the last 2 months the VLAN has stopped receiving inbound traffic.

It's an SG330 on firmware 9.502-4.

My rules are:

Firewall Rule 1:

VLAN -> any -> LAN

Allow

 

Firewall Rule 2:

LAN -> any -> VLAN

Allow

 

SNAT Rule 1:

LAN -> any -> VLAN

Change Source: VLAN

 

SNAT Rule 2:

VLAN -> any -> LAN

Change Source: LAN

 

Now, just to test, I also created another VLAN on a different interface going to a different switch: same issue. The VLAN interface transmits but doesn't receive. The Sophos couldn't ping the switch and the switch couldn't ping the Sophos.

Network usage of the VLAN interface:

Interface Usage VLAN 200 (eth0.200) (inbound): 0.00 bps 0.00 bps 0.00 bps 0.00 bps

Interface Usage VLAN 200 (eth0.200) (outbound): 760.00 bps 0.00 bps 245.00 bps 373.00 bps


  • I don't really understand why you have the SNAT rules. When both networks are connected to Sophos UTM and both networks (and the devices in it) point to Sophos UTM as default gateway, then no NAT should be necessary and only the firewall rules are needed (which look to be good).

    So, do you have all hosts pointing to UTM as default gateway?


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • All pointing to the UTM as default gateway, but everything that is under the VLAN cannot ping/interact with the gateway at all.

  • How did you connect and configure your switches and/or hosts to your VLAN-configured interface? You should configure a switch with an 802.1Q VLAN config using the same VLAN IDs as configured in UTM (VLAN 1 shouldn't be used since it is reserved for wireless in UTM). All VLANs usually need to be configured as Tagged on the port connecting to the UTM interface.

    Your hosts should be connected to the switch (usually on untagged port in the required VLAN).


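The "transmits but never receives" symptom on eth0.200 is exactly what you get when the switch port facing the UTM is untagged (access) for VLAN 200 instead of tagged: the frames arrive on eth0 with no 802.1Q header, so the VLAN sub-interface never sees them and its inbound counter stays at zero. The script below is an added example, not from the thread or from Sophos, that parses raw Ethernet frames (for instance captured on the physical uplink with tcpdump and read back) and tells the failure modes apart: tagged frames for the expected VID, untagged frames, a VID mismatch, or nothing at all. The interface name eth0.200, VID 200 and the MAC addresses are assumptions taken from the post; the sample frames are constructed inline so it runs offline.

```python
import struct
from collections import Counter
from typing import Iterable, Optional

# Ethernet / IEEE 802.1Q constants. VID 200 mirrors the thread's eth0.200;
# VID 1 is the one UTM reserves for wireless, so it is flagged separately.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
EXPECTED_VID = 200
RESERVED_VID = 1


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; with vid set, insert an 802.1Q tag (PCP 0, DEI 0)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VLAN ID out of range")
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # TPID + TCI
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, VLAN ID (None if untagged), PCP, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, offset = None, None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def tally_vlans(frames: Iterable[bytes]) -> Counter:
    """Count frames per VLAN ID; untagged frames are counted under the key None."""
    return Counter(parse_frame(f)["vid"] for f in frames)


def diagnose(counts: Counter, expected_vid: int = EXPECTED_VID) -> str:
    """Map the per-VID tally to the most likely cause of a silent VLAN sub-interface."""
    note = ""
    if counts.get(RESERVED_VID, 0):
        note = f" (frames tagged VLAN {RESERVED_VID} also seen; UTM reserves that ID for wireless)"
    if counts.get(expected_vid, 0):
        return (f"tagged frames for VLAN {expected_vid} are arriving; the switch port is fine, "
                f"look at firewall/ICMP rules and routing instead{note}")
    if counts.get(None, 0):
        return (f"no frames tagged {expected_vid}, but untagged frames arrive: the switch port facing "
                f"the UTM is untagged/access, so eth0.{expected_vid} never sees them; set that port "
                f"to tagged (trunk) for VLAN {expected_vid}{note}")
    others = sorted(v for v in counts if v is not None)
    if others:
        return (f"frames tagged {others} arrive but none for VLAN {expected_vid}: "
                f"VLAN ID mismatch between switch and UTM{note}")
    return "nothing at all arrives on the uplink: check link state, cabling and the switch config"


# Constructed sample traffic: a minimal ARP request body behind hypothetical MACs.
UTM_MAC = bytes.fromhex("0200000000aa")
SWITCH_MAC = bytes.fromhex("0200000000bb")
ARP_STUB = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
SAMPLE_UNTAGGED = [build_frame(UTM_MAC, SWITCH_MAC, ETHERTYPE_ARP, ARP_STUB) for _ in range(3)]
SAMPLE_TAGGED = [build_frame(UTM_MAC, SWITCH_MAC, ETHERTYPE_ARP, ARP_STUB, vid=EXPECTED_VID)]
SAMPLE_WRONG_VID = [build_frame(UTM_MAC, SWITCH_MAC, ETHERTYPE_IPV4, ARP_STUB, vid=RESERVED_VID)]

if __name__ == "__main__":
    for name, frames in [("untagged", SAMPLE_UNTAGGED), ("tagged 200", SAMPLE_TAGGED),
                         ("tagged 1", SAMPLE_WRONG_VID), ("silent", [])]:
        print(f"{name:>10}: {diagnose(tally_vlans(frames))}")
```

On the UTM itself the frames to feed this come from the physical interface, not the sub-interface (capturing on eth0.200 would show nothing in exactly the broken case); the tally also makes a VID mismatch obvious, which the Interface Usage graph cannot distinguish from an untagged port.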

  • That's how it's set up, which used to work fine, but for some reason it's just stopped accepting traffic.

  • Any hints in the firewall logs on whether the traffic is allowed or not?

    Are you sure the switch is still operating as it should (No power outage and "forgotten" to save running config)?



  • The firewall log just has entries labeled "log", only going from internal LAN -> VLAN. No allows or denies for it. And nothing logged for VLAN -> LAN.

    I've resaved config again and rebooted switch but no joy.

    It's really got me stumped. We have a second Sophos in HA that is synced up and we're having the same issue there, which makes me think it's a config issue somewhere. But everything looks sweet.

  • Hi, Sam, and welcome to the UTM Community!

    Pinging is regulated on the 'ICMP' tab of 'Firewall'. The "Any" Service only includes TCP and UDP; none of the other IP protocols are included. If pings weren't going through because of the firewall settings, they should have shown as blocked in the Firewall log. If you have an explicit drop rule at the end of your ruleset, that would hide "default drop" messages.

    Agreed that the SNAT rules are unnecessary. If you're having routing problems, they would appear to be issues outside the UTM unless the VLAN is not configured on the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA